Privacy Compliance) Exam 2025–2026 Accurate Real Exam Questions and Verified Correct Answers
The HIPAA Privacy Rule covers:
a. Health plans
b. Health care clearinghouses
c. Health care providers who conduct certain financial and administrative transactions electronically.
d. Life insurance companies
e. A, B and C only - answer>>>e. A, B and C only
Collectively, the rule covers only "covered entities". It does not cover or regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. Note that since the 2013 HIPAA Omnibus Rule, business associates (vendors that create, receive, maintain or transmit PHI on a covered entity's behalf) are also directly liable for compliance with applicable Privacy Rule provisions, even though they are not themselves covered entities.
Ref. https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must-comply-with-hipaa-privacy-standards/index.html
What is a key concept of the Privacy Rule?
a. Training
b. Minimum necessary
c. Communication
d. Notice of Privacy Practices - answer>>>b. Minimum Necessary
The concept of "minimum necessary" is central to the Privacy Rule, and means to use or disclose
the minimum amount of PHI needed for the intended purpose.
How long does the Privacy Rule state that a practice or covered entity needs to retain medical records?
a. Five years
b. Not stated
c. Six years
d. Seven years - answer>>>b. Not stated
The Privacy Rule does not include medical record retention requirements, and covered entities may destroy such records at the time permitted by state or other applicable law. Do not confuse this with the six-year retention period in 45 CFR 164.530(j), which applies to HIPAA compliance documentation (policies, procedures, authorizations, accounting of disclosures and similar records), not to the medical records themselves.
Note: practice question from AAPC CPCO Ch5
The Privacy Rule does not restrict the use or disclosure of ________, which neither identifies nor provides a reasonable basis to identify an individual.
a. non-protected health information (non-PHI)
b. reverse PHI
c. regulated PHI
d. de-identified health information - answer>>>d. de-identified health information.
Ref. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
Protected health information (PHI) is considered de-identified by HIPAA Privacy Rule standards by:
a. absence of actual knowledge by the covered entity that the remaining information could be
used alone or in combination with other information to identify the individual
b. removal of only patient name and date of birth
c. a formal determination by a qualified expert
d. the removal of 18 specified individual identifiers
e. A, C and D
f. All of the answers - answer>>>e. A, C and D
The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert (Expert Determination); or 2) the removal of specified individual identifiers together with the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (Safe Harbor).
Ref. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#preparation
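The Safe Harbor method above is the one that can be partly automated, so here is an added example (not from the exam page or from HHS) of a scrubber that applies its rules to one patient record: the direct identifiers on the Safe Harbor list are dropped, dates are reduced to the year, ages over 89 collapse into a single "90+" bucket (including a birth year that would reveal such an age), and ZIP codes are truncated to the first three digits with small-population prefixes reported as 000. The field names, the sample record and the restricted-prefix table are assumptions for illustration; the real prefix table comes from Census population data, and the "no actual knowledge" condition of the second method is a human judgement that no script can supply.

```python
"""Safe Harbor style de-identification of a single patient record.

Added illustrative example. Field names and the RESTRICTED_ZIP3 table are
assumptions for this example, not the authoritative HHS or Census lists.
"""
from datetime import date
import re

# Direct identifiers that Safe Harbor requires to be removed outright.
# (Hypothetical field names; the categories follow the HHS list.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be reported
# as "000". These three values are illustrative assumptions only.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Dates directly related to the individual: keep only the year.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code: str) -> str:
    """First three ZIP digits, or 000 for short or restricted prefixes."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(iso_date).year)


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    age = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        age -= 1
    return age


def safe_harbor_scrub(record: dict, as_of_iso: str) -> dict:
    """Return a new record with Safe Harbor identifiers removed or generalised."""
    as_of = date.fromisoformat(as_of_iso)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field] = year_only(value)
        elif field == "birth_date":
            birth = date.fromisoformat(value)
            age = age_on(birth, as_of)
            if age >= 90:
                # The birth year alone would reveal an age over 89, so it goes
                # too and only the aggregated bucket survives.
                out["age"] = "90+"
            else:
                out["birth_date"] = str(birth.year)
                out["age"] = str(age)
        elif field == "age" and "birth_date" not in record:
            out[field] = "90+" if int(value) >= 90 else str(value)
        else:
            out[field] = value  # clinical content is not an identifier
    return out


# Constructed sample record (fictitious data, not a real patient).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street": "12 Example Lane",
    "city": "Anytown",
    "zip": "02139-4307",
    "birth_date": "1932-03-15",
    "admission_date": "2024-06-02",
    "discharge_date": "2024-06-09",
    "diagnosis_code": "E11.9",
    "ip_address": "203.0.113.7",
}


def scrub_sample(as_of_iso: str = "2025-01-10") -> dict:
    """Scrub the constructed sample record as of the given date."""
    return safe_harbor_scrub(SAMPLE_RECORD, as_of_iso)


if __name__ == "__main__":
    for k, v in scrub_sample().items():
        print(f"{k}: {v}")
```

Removing the 18 categories is the mechanical half of Safe Harbor; the covered entity must still have no actual knowledge that what remains (here a diagnosis code, a ZIP prefix and a year of admission) could identify the individual, which is why rare diagnoses or very small ZIP-3 populations often push a dataset toward Expert Determination instead.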
True or False:
The Privacy Rule generally requires covered entities to take reasonable steps to limit uses,
disclosures, or requests (if the request is to another covered entity) of protected health
information (PHI) to the minimum necessary to accomplish the intended purpose, known as the
minimum necessary standard. - answer>>>TRUE
Ref. Minimum Necessary Requirement 45 CFR 164.502(b), 164.514(d)
True or False:
The HIPAA Privacy Rule does not prevent pharmacists from giving advice about over-the-counter medicines to customers. - answer>>>TRUE
Ref. https://www.hhs.gov/hipaa/for-professionals/faq/treatment-disclosures/index.html or See
45 CFR 164.502(a)(1)(i).
A health care provider wants to disclose protected health information (PHI) about a student to a
school nurse or physician. Does the HIPAA Privacy Rule allow this?
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to
school nurses, physicians, or other health care providers for treatment purposes, without the
authorization of the student or student's parent.
OR
No. The HIPAA Privacy Rule mandates parental consent in this case. - answer>>>Yes!
The disclosure is permitted because it is for treatment. Note that health records the school itself maintains on its students are generally "education records" under FERPA rather than PHI, so FERPA, not HIPAA, governs them once they are in the school's hands.
Ref. https://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa/index.html
True or False:
The HIPAA Privacy Rule applies to all forms of patients' protected health information, whether
electronic, written, or oral. In contrast, the Security Rule covers only protected health information
that is in electronic form. - answer>>>TRUE
Ref. https://www.hhs.gov/hipaa/for-professionals/faq/2010/does-the-security-rule-apply-to-written-and-oral-communications/index.html
The HIPAA Privacy Rule requires retraining of the workforce:
a. After a material change in policy
b. 6 months after initial training
c. Every other year
d. After violation - answer>>>a. After a material change in policy
In developing a privacy monitoring plan, a privacy professional should initially focus on:
a. Discussion with the business owners
b. Presentation to the BOD
c. Reviewing disciplinary actions
d. Implementing mitigating activities - answer>>>a. Discussion with the business owners
An agency investigating a complaint of a HIPAA privacy violation contacts the facility for patient
information. The facility's policy should be to disclose all information:
a. If a search warrant is presented
b. That is required by state law
c. If the patients have been informed
d. Requested except for PHI - answer>>>b. That is required by state law
Which of the following privacy laws relates to protection of financial information?
a. ADA
b. HIPAA
c. HITECH
d. GLBA - answer>>>d. GLBA
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes the Financial Privacy Rule and the Safeguards Rule, which require all financial institutions to protect customers' personal financial information.